CISA Adds Roundcube Email Software Vulnerability to Known Exploited Vulnerabilities Catalog


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a medium-severity security flaw affecting Roundcube email software as actively exploited, prompting its addition to the Known Exploited Vulnerabilities (KEV) catalog.

Tracked as CVE-2023-43770 with a CVSS score of 6.1, the vulnerability involves a cross-site scripting (XSS) issue arising from the handling of linkrefs in plain text messages within Roundcube Webmail.

CISA warned that the flaw could result in information disclosure through malicious link references in plain/text messages. According to the National Vulnerability Database (NVD), the vulnerability affects Roundcube versions before 1.4.14, 1.5.x versions before 1.5.4, and 1.6.x versions before 1.6.3.

Roundcube addressed the issue in version 1.6.3, released on September 15, 2023. The discovery of the vulnerability is credited to Zscaler security researcher Niraj Shivtarkar.
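The first thing a defender does with a KEV entry like this is an inventory check: which of our Roundcube instances fall inside the NVD ranges quoted above? The following is an added example, not code from CISA, NVD or the Roundcube project. It parses Roundcube version strings into comparable tuples (treating pre-release suffixes such as `-rc1` as older than the corresponding final release, which is the conservative choice), applies the three affected ranges stated in the article, and triages a constructed inventory. The `RCMAIL_VERSION` constant in `program/include/iniset.php` is where a Roundcube install records its version; the sample file content and host names below are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# (major, minor, patch, final) - "final" is 1 for a release, 0 for a
# pre-release such as 1.6.3-rc1, so pre-releases sort before the release.
Version = Tuple[int, int, int, int]

# Fixed versions per branch, from the NVD ranges quoted in the article:
# everything before 1.4.14, 1.5.x before 1.5.4, 1.6.x before 1.6.3.
FIXED_1_4: Version = (1, 4, 14, 1)
FIXED_1_5: Version = (1, 5, 4, 1)
FIXED_1_6: Version = (1, 6, 3, 1)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?")
# Matches the line Roundcube ships in program/include/iniset.php.
_INISET_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(text: str) -> Version:
    """Turn '1.6.2', '1.6-rc' or '1.6.3-rc1' into a comparable tuple."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def is_affected(version: str) -> bool:
    """True if the version lies inside the CVE-2023-43770 affected ranges."""
    v = parse_version(version)
    if v < FIXED_1_4:          # covers 1.3.x and older as well as 1.4.0-1.4.13
        return True
    if v[:2] == (1, 5):
        return v < FIXED_1_5
    if v[:2] == (1, 6):
        return v < FIXED_1_6
    return False               # 1.4.14+, 1.5.4+, 1.6.3+ and later branches


def version_from_iniset(file_text: str) -> str:
    """Extract RCMAIL_VERSION from the contents of program/include/iniset.php."""
    m = _INISET_RE.search(file_text)
    if not m:
        raise ValueError("RCMAIL_VERSION not found in iniset.php contents")
    return m.group(1)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted list of hosts whose Roundcube version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample: the version line as it appears in iniset.php on one host.
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.2');\n"

# Constructed inventory of webmail hosts and the versions they report.
SAMPLE_INVENTORY = {
    "webmail-a.example.test": version_from_iniset(SAMPLE_INISET),  # 1.6.2
    "webmail-b.example.test": "1.6.3",      # fixed on 2023-09-15
    "webmail-c.example.test": "1.5.4",      # fixed
    "webmail-d.example.test": "1.4.13",     # affected
    "webmail-e.example.test": "1.6.3-rc1",  # pre-release of the fix: treat as affected
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2023-43770")
```

Feeding the output of this check into a ticketing or patch-management workflow gives a concrete list to clear before the remediation deadline; any host that cannot be upgraded immediately is a candidate for compensating controls such as restricting webmail exposure until it is patched.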

While the specific exploitation methods remain undisclosed, past incidents have seen web-based email client vulnerabilities exploited by threat actors such as APT28 and Winter Vivern, both of which are associated with Russia.

U.S. Federal Civilian Executive Branch (FCEB) agencies have been directed to apply vendor-provided fixes by March 4, 2024, to safeguard their networks against potential threats posed by the Roundcube vulnerability.
